/predator

A Shape Analyzer Based on Symbolic Memory Graphs

Primary LanguageCGNU General Public License v3.0GPL-3.0

Predator and Forester
=====================
Predator is a tool for automated formal verification of sequential C programs
operating with pointers and linked lists. The core algorithms of Predator were
originally inspired by works on *separation logic* with higher-order list
predicates, but they are now purely graph-based and significantly extended to
support various forms of low-level memory manipulation used in system-level
code.  Such operations include pointer arithmetic, safe usage of invalid
pointers, block operations with memory, reinterpretation of the memory contents,
address alignment, etc.  The tool can be loaded into *GCC* as a *plug-in*.  This
way you can easily analyse C code sources, using the existing build system,
without manually preprocessing them first.  The analysis itself is, however, not
ready for complex projects yet.  You can find the latest news on the following
project page:

    http://www.fit.vutbr.cz/research/groups/verifit/tools/predator

Forester is an experimental tool for checking manipulation of dynamic data
structures using *forest automata*.  As in case of Predator, it can be loaded
directly into *GCC* as a *plug-in* to analyse C code sources.  However, the
analysis itself is not yet mature enough to be able to verify ordinary programs.
You can find the latest news on the following project page:

    http://www.fit.vutbr.cz/research/groups/verifit/tools/forester

Predator and Forester are licensed as GPLv3+, see COPYING for details.  The GCC
(or LLVM) plug-ins are based on Code Listener infrastructure (included).
Although the tools are intended to be as portable as GCC is, we support Darwin
and Linux for now.

Building from sources against the system GCC
============================================
This method requires a build of GCC with plug-in support compiled in (not
necessarily the system one).  The currently supported version of GCC is 8.3.0
and the test-suite is guaranteed to fully succeed only against this version
of GCC.  However, the Predator plug-in itself is known to work well also with
other GCC versions ranging from 4.5.0 to 9.2.0.

(1) Install all dependences of Predator and Forester
----------------------------------------------------
   * C/C++ compiler
     - Predator currently supports GCC 4.1.2+ and Clang 3.2+
     - the other analyzers are known to work with GCC 4.6.4+
     - try to install 'g++' on Ubuntu, or 'gcc-c++' (or 'clang') on Fedora

   * CMake 2.8+
     - available at http://www.cmake.org
     - the executable is called 'cmake'
     - usually provided by a package called 'cmake'

   * Boost libraries 1.37+
     - available at http://www.boost.org/
     - package is usually called 'boost'
     - on binary distros you may need also the 'boost-devel' sub-package

   * 32bit system headers, especially in case of 64bit OS
     - on Debian provided by a package called 'g++-4.9-multilib'
     - you can try to check their presence
       by 'echo "#include <new>" | gcc -m32 -c -xc++ -'

(2) Build Predator and Forester from sources
--------------------------------------------
You can use the 'switch-host-gcc.sh' script to rebuild Code Listener, Predator,
and Forester against a GCC build of your choice.  For details, please run
'switch-host-gcc.sh' without any arguments.  The script needs to be run in the
same directory as this README is.  If it fails, make sure your environment is
sane.  Especially check the PATH and LD_LIBRARY_PATH environment variables.
On recent Linux distributions, you can simply use the following command:

    ./switch-host-gcc.sh /usr/bin/gcc

(3) Prepare environment for running Predator/Forester transparently [optional]
------------------------------------------------------------------------------
To employ the Predator plug-in in a build of an arbitrary project fully
transparently, it is recommended to set certain environment variables.  You can
use the script register-paths.sh to do this automatically.

    . sl_build/register-paths.sh

Then you can simply use the '-fplugin' option of GCC as documented in the gcc(1)
man page:

    gcc -fplugin=libsl.so ...

This will show you the available options of the Predator plug-in itself:

    echo please help | gcc -fplugin=libsl.so -fplugin-arg-libsl-help -xc -

Analogically to Predator you can also set up the environment for Forester by
running the following script:

    . fa_build/register-paths.sh

... and show the available options of the Forester plug-in by:

    echo please help | gcc -fplugin=libfa.so -fplugin-arg-libfa-help -xc -

Building from sources against the system LLVM [experimental]
=============================================================
The currently supported version of LLVM is 10.0.0 and the test-suite is
guaranteed to fully succeed only against this version of LLVM after applying
the patch 'build-aux/llvm.patch'.

(1) Install all dependences of Predator
---------------------------------------
   * C/C++ compiler, CMake 2.8+ and Boost libraries 1.37+
     - same as for GCC

   * LLVM develop library and header files
     - on Fedora provided by a package called 'llvm-devel'

(2) Build Predator from sources
-------------------------------
You can use the 'switch-host-llvm.sh' script to rebuild Code Listener and
Predator against a LLVM build of your choice.  For details, please run
'switch-host-llvm.sh' without any arguments.  The script needs to be run in the
same directory as this README is.  If it fails, make sure your environment is
sane.  Especially check the PATH and LD_LIBRARY_PATH environment variables.
On recent Linux distributions, you can simply use the following command:

    make llvm
or
    ./switch-host-llvm.sh /usr/share/llvm/cmake

(3) Usage
---------
Create bitecode file:

    clang -g -S -emit-llvm source.c -o source.bc

Starting analysis:

    opt source.bc -o /dev/null -lowerswitch -load ./sl_build/libsl.so -sl -help

Or directly (without additional options) [only on Linux]:

    clang -g source.c -Xclang -load -Xclang ./sl_build/libsl.so

Dependencies for Darwin (MacOSX)
================================
GCC plug-in has .so suffix and LLVM plug-in has .dylib suffix as usual for
Darwin.  You can install some of these dependencies using Homebrew available at
https://brew.sh/:

    brew install cmake boost boost-build
    brew install gcc@8                   # only for GCC plug-in
    brew install llvm@10                 # only for LLVM plug-in
    brew install coreutils               # only for scripts: gtimeout, gstdbuf

The currently supported version of GCC is 8.4.0.
The currently supported version of LLVM is 10.0.0.

Building GCC from sources [emergency solution]
==============================================
Use this if your system GCC does not support loading (or building) GCC plug-ins.

(1) Install all dependences of GCC
----------------------------------
   * GMP library
     - available at http://gmplib.org/
     - package is usually called 'gmp'
     - on binary distros you may need also the 'gmp-devel' sub-package

   * MPC library
     - available at http://www.multiprecision.org/
     - package is usually called 'mpc' or 'libmpc'
     - on binary distros you may need also the 'libmpc-devel' sub-package

   * MPFR library
     - available at http://www.mpfr.org/
     - package is usually called 'mpfr'
     - on binary distros you may need also the 'mpfr-devel' sub-package

(2) Build the GCC compiler from sources
---------------------------------------
This step requires approximately 2 GB of free disk space.  The following command
downloads the sources of a stable GCC release, builds them in a minimalistic way
and install them into a local directory:

    make build_gcc

The above step is the most time-consuming step, which can take from 5 minutes to
several hours, depending on your network bandwidth, machine performance and the
current load of the machine.  The download step can be accelerated by selecting
a closer mirror to download GCC from.  The build step can be accelerated by
giving the option '-jN' to 'make', where N is the number of CPU cores plus one
(a commonly used heuristic, there exist several others).  But first make sure
that your machine has enough resources for building GCC in parallel.